Swiss Data Protection Law - What to Consider?

Since the revision of the Swiss Data Protection Act in September 2023, numerous new provisions have been introduced. This text provides you with a compact overview of the most important changes and the resulting obligations for companies - from tightened information obligations to expanded protection measures for sensitive data. Learn here how you can adapt to the new provisions to avoid potential sanctions and ensure data protection in your company.

At a Glance

  • The Swiss Data Protection Act (FADP) applies to all data processing activities of natural persons that have an impact in Switzerland.
  • Of particular importance is the comprehensive obligation of companies to inform the data subjects, which is often fulfilled through a privacy policy.
  • Failure by companies to comply with the new data protection regulations can result in high fines.

Background

Since September 1, 2023, the revised Swiss Data Protection Act (FADP) has been in force. The comprehensive new provisions both diverge from and, in many places, align with the European Union's General Data Protection Regulation (GDPR). In particular, the requirements for information, documentation, and reporting obligations have been tightened. You should definitely be aware of and implement the following provisions.

When does the FADP apply?

In principle, the FADP applies within Switzerland. However, the effects principle also applies: the FADP must also be observed if data processing activities taking place abroad have an impact in Switzerland. Furthermore, when engaging in cross-border activities with EU countries, especially when processing data of EU citizens, the GDPR itself may apply as well. This must be assessed on a case-by-case basis.

Additionally, with the new amendment, the FADP exclusively applies to the processing of data concerning natural persons. Legal persons are not covered by the FADP.

What data is protected?

Personal Data

Personal data are pieces of information that can either be directly attributed to a specific person or can be traced back to a specific person through additional information or data combinations. Practically all information that can be attributed to a natural person constitutes personal data.

Examples include general information (name, age, home address, marital status), physical characteristics, value judgments, bank details, online information (IP addresses), or customer data.

Especially Sensitive Personal Data

Certain personal data require particularly careful handling as they are extremely sensitive and can have significant implications for an individual's rights. These particularly sensitive data include information about ethnic origin, religion, disability or health status, sexual orientation, union membership, political opinions, as well as biometric and genetic data.

An example would be the disclosure of information about diseases, addictions, or risk behavior to health insurers, which could lead to affected individuals being excluded from supplementary insurance or burdened with higher premiums.

The distinction between personal data and particularly sensitive data is crucial because data protection law provides for increased protection for particularly sensitive personal data. This means that extended information obligations and stricter justifications for processing such data apply.

Specifically, for this category of data, a processing policy, a data protection impact assessment, and a processing record must be created.

Who has to comply with data protection obligations?

Every company - regardless of its size - must comply with data protection obligations, because every company processes personal data in one form or another, be it from customers, employees, suppliers, business partners, and many more. However, certain obligations only need to be fulfilled by specific companies that process a particularly large amount of data or whose processing is particularly risky.

What specific obligations do we have as a company?

Record of Data Processing Activities

According to Article 12 FADP, the company maintains a record of all data processing activities. Companies with more than 250 employees, or those that process particularly sensitive personal data on a large scale or conduct high-risk profiling, are obliged to do so. However, maintaining a record of processing activities is also useful for smaller companies: it provides an overview of current processing operations and helps identify and rectify any deficiencies.

Risk Assessment and Data Protection Impact Assessment

For data processing activities that are relevant to data protection and pose a high risk to data subjects, a data protection impact assessment must be carried out according to Article 22 FADP.

Profiling

If high-risk profiling is carried out, i.e., personal data are linked in a way that allows personality traits of a person to be derived, the explicit consent of the data subjects must be obtained.

Transfer of Personal Data Abroad

The lawful transfer of personal data to third countries may only take place in compliance with appropriate data protection standards or on another legal basis. A list of countries with an adequate level of data protection is published by the federal authorities. Article 16 paragraph 2 FADP regulates the conditions for transfers to third countries not on that list.

Processing of Personal Data Abroad

If a company has personal data processed by third parties, it is responsible for ensuring that the data processing complies with applicable data protection regulations. A data processing agreement is generally concluded for such processing.

Technical and Organizational Measures

According to Article 8 FADP, suitable technical protection mechanisms and organizational processes must be established to minimize data protection risks and protect personal data.

Privacy by Default and Privacy by Design

When designing, developing, and upgrading IT systems, the principles of data protection and IT security must be taken into account from the outset according to Article 7 FADP. Implementation should include privacy-protective default settings that protect the privacy of users. Individuals should be protected from potential risks to their rights and freedoms without having to take active measures themselves.

Employee Training

Employees must be trained at appropriate intervals on data protection and data protection processes. This is usually done through e-learning or face-to-face training.

Information Obligations

The company ensures that data subjects can obtain all relevant information about data processing according to Article 19 FADP. In certain cases, the information obligation may be waived (Article 20 FADP). If a website is operated, the information obligation is usually fulfilled by a privacy policy published on the website.

Right to Information/Data Disclosure

Data subjects can demand information and disclosure of their data according to Article 25 FADP. The company has an obligation to provide information, which also applies to contract data processing. Information is usually to be provided free of charge within 30 days. Data subjects also have the right to deletion or correction of their data.

Employees' Right to Information

Employees also have the right to information about the processing of their data in the company (information, correction, objection).

Data Breaches

Employees must report data protection violations to the person responsible within the company as soon as possible. In the case of violations that are expected to pose a high risk, the Federal Data Protection and Information Commissioner (FDPIC) must be notified immediately, indicating the nature of the violation, its impact, and the measures taken or planned.

What happens if we violate the data protection law?

The penalties for violations of the Data Protection Act were significantly increased with the revision - they can amount to up to CHF 250,000. Specifically, this concerns breaches of the obligations to inform, to provide information, and to cooperate, as prescribed in the Data Protection Act. Examples include obtaining personal data without informing the affected individuals, and refusing to answer or giving incorrect information when someone asks whether personal data about them is being processed in your company.

The sanctions target the responsible individual, not the company. This does not necessarily mean that employees who make a mistake will be punished, but rather those individuals who are responsible for data protection according to the internal organization of the company. In a small company, this is usually the owner.

With GetYourLawyer, you're choosing quality.

Receive offers with fixed prices or those with transparent cost ceilings. This way, you maintain cost control at all times. Thanks to our efficiency in legal packages, you can also save up to 30% on average.


FAQ: Data Protection Law

Data protection is about protecting the privacy and fundamental rights of individuals when it comes to the use of their personal data.

Data protection covers all processing of personal data, i.e., all activities involving information about natural persons, especially their collection, processing, use, organization, storage, transmission, or deletion.

Personal data are information relating to an identified or identifiable natural person, such as name, address, telephone number, or online identifiers.

Information that allows conclusions to be drawn about a person's personal values and views is considered particularly sensitive personal data.

The data protection law applies to all individuals and organizations that process personal data with an impact in Switzerland, regardless of their size or activity.

Yes, private entities and federal authorities are required to inform affected individuals about the processing of their personal data. A privacy policy is a common method to fulfill this obligation to inform.

In the revised Swiss data protection law, which came into force in September 2023, stricter information and reporting obligations were introduced, aiming to strengthen the protection of personal data.

Federal Law

Federal Act on Data Protection (Data Protection Act, FADP)

Ordinance on Data Protection (Data Protection Ordinance, DPO)

Articles of law

Definitions (Art. 5 FADP)

Data protection by design and default (Art. 7 FADP)

Data security (Art. 8 FADP)

Register of processing activities (Art. 12 FADP)

Disclosure of personal data abroad (Art. 16 et seq. FADP)

Information obligations (Art. 19 et seq. FADP)

Data protection impact assessment (Art. 22 FADP)

Right to information (Art. 25 FADP)

Penal provisions (Art. 60 et seq. FADP)